Build(deps): [Security] Bump @ckeditor/ckeditor5-font from 16.0.0 to 28.0.0

[dependabot-preview]

Bumps @ckeditor/ckeditor5-font from 16.0.0 to 28.0.0. This update includes a security fix.

Vulnerabilities fixed

Sourced from The GitHub Security Advisory Database.

Regular expression Denial of Service in multiple packages

Impact

A regular expression denial of service (ReDoS) vulnerability has been discovered in multiple CKEditor 5 packages. The vulnerability allowed to abuse particular regular expressions, which could cause a significant performance drop resulting in a browser tab freeze. It affects all users using the CKEditor 5 packages listed above at version <= 26.0.0.

Patches

The problem has been recognized and patched. The fix will be available in version 27.0.0.

For more information

Email us at security@cksource.com if you have any questions or comments about this advisory.

Acknowledgements

The CKEditor 5 team would like to thank Yeting Li for recognizing and reporting these vulnerabilities.

Affected versions: <= 26.0.0

Release notes

Sourced from @​ckeditor/ckeditor5-font's releases.

v28.0.0

Release highlights

We are happy to announce the release of CKEditor 5 v28.0.0.

This release introduces several new features:

• The Revision History feature, that allows the users to create, view and restore named content versions.
• The possibility to add captions to tables.
• The ability to specify the default properties for tables and table cells.
• The new allowChildren property for the data schema item definition.
• The Export to PDF and Export to Word features are now enabled in the read-only mode.
• Introducing the plugin metadata and documenting the HTML output of all editor features.

There were also a few bug fixes:

• Word can now properly open a file with nested tables exported from CKEditor 5.
• Pasting in the horizontal caret no longer replaces the widget.
• Correcting spelling in a list does not throw an error anymore.
• Toolbar navigation with the keyboard works in the right direction in an RTL text.
• The media embed supports whichever URL scheme for Google Maps.

MAJOR BREAKING CHANGES

Note: Check out the Migration to CKEditor 5 v28.0.0 guide for more detailed information on how to upgrade to the current version.

• All the packages use multiple exports instead of the one object in the src/index.js file. The list of affected packages.

MINOR BREAKING CHANGES ℹ️

• engine: Styles definitions for the border:* property produced by the StylesProcessor will now be merged as a single border:* property if all its properties (width, style, and color) for all edges (top, right, bottom, left) are the same.
• table: The TablePropertiesView and TableCellPropertiesView classes require additional property in the object as the second constructor argument (options.defaultTableProperties for the table and options.defaultTableCellProperties for table cells).
• table: The upcastBorderStyles() conversion helper requires a third argument called defaultBorder. The object defines the default border (width, color, style) properties.
• table: The following conversion helpers: upcastStyleToAttribute(), downcastAttributeToStyle(), downcastTableAttribute() accept two arguments now (the conversion and the options objects). Previous usage: conversionHelper( conversion, /* ... */ ) should be replaced with conversionHelper( conversion, { /* ... */ } ).
• table: Values for the borderColor, borderStyle, borderWidth, and padding model attributes are unified (to values produced by the editor itself) while upcasting the table or table cells if all sides (top, right, bottom, and left) have the same values. Previously, the <table style="border: 1px solid #ff0"> element was upcasted to <table borderStyle="{"top":"solid","right":"solid","bottom":"solid","left":"solid"}" borderColor="{...}" borderWidth="{...}">. Now the object will be replaced with the string value: <table borderStyle="solid" borderColor="#ff0" borderWidth="1px">. The same structure is created when using the editor's toolbar. If border values are not identical, the object notation will be inserted into the model (as it is now).
• table: The following classes require the second argument called defaultValue which is the default value for the command:
  • TableCellHorizontalAlignmentCommand,
  • TableCellVerticalAlignmentCommand,
  • TableCellBackgroundColorCommand,
  • TableCellBorderColorCommand,
  • TableCellBorderStyleCommand,
  • TableCellBorderWidthCommand,
  • TableCellHeightCommand,
  • TableCellPropertyCommand,
  • TableCellWidthCommand,
  • TableCellPaddingCommand,
  • TableAlignmentCommand,
  • TableBackgroundColorCommand,

... (truncated)

Changelog

Sourced from @​ckeditor/ckeditor5-font's changelog.

Changelog

All changes in the package are documented in the main repository. See: https://github.com/ckeditor/ckeditor5/blob/master/CHANGELOG.md.

Changes for the past releases are available below.

19.0.0 (2020-04-29)

Features

• Introduced the supportAllValues configuration for both FontSize and FontFamily plugins that allow preserving any font-family and font-size values when pasting or loading content. Closes ckeditor/ckeditor5#6165. Closes ckeditor/ckeditor5#2278. (b22efec)

Bug fixes

• Font size styles should be prefixed by the .ck-content class. Closes ckeditor/ckeditor5#6636. (b0b06db)

18.0.0 (2020-03-19)

Other changes

• Updated translations. (b0d7c53)

17.0.0 (2020-02-19)

MINOR BREAKING CHANGES

• normalizeColorOptions() and getLocalizedColorOptions() are no longer available in this package. You can import them from @ckeditor/ckeditor5-ui/src/colorgrid/utils instead.

Other changes

• Implemented lazy loading for the font color and background color dropdowns. This will reduce editor initialization time. Closes ckeditor/ckeditor5#6192. (165417c)
• Moved normalizeColorOptions() and getLocalizedColorOptions() to ckeditor5-ui (see [Table properties UI] Implement a rich color picker for table (and table cell) properties ckeditor/ckeditor5#6106). (c3e7673)
• Updated translations. (db84e7a)

Commits

• e670349 Release: v28.0.0.
• 182dda1 Internal: Updated dependencies. [skip ci]
• dac88f6 Merge branch 'ck/9134' of github.com:ckeditor/ckeditor5 into ck/9134
• fe45cf9 Bumped versions of ckditor5-dev-* packages.
• a420a7c Merge branch 'master' into ck/9134
• 32acf46 Minor corrections.
• cad8a72 Merge pull request #9685 from ckeditor/i/6642
• 8a7cec5 For all non-DLL packages - replaced the default export with module re-exporting.
• 6e44d34 Release: v27.1.0.
• d24c7bf Internal: Updated dependencies. [skip ci]
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
• @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
• @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
• @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
• @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language
• @dependabot badge me will comment on this PR with code to add a "Dependabot enabled" badge to your readme

Additionally, you can set the following in your Dependabot dashboard:

• Update frequency (including time of day and day of week)
• Pull request limits (per update run and/or open at any time)
• Out-of-range updates (receive only lockfile updates, if desired)
• Security updates (receive only security updates, if desired)